The ICO exists to empower you through information.

What to expect from the ICO when making a complaint under the UK Extension to the EU-US Data Privacy Framework or about US national security agencies

Share

About the UK Extension to the EU-US Data Privacy Framework

The UK Extension to the EU-US Data Privacy Framework (UK Extension) became operational on 12 October 2023, after the United Kingdom adequacy regulations came into force. The regulations confirm that the UK Extension ensures an adequate level of protection for personal data transferred from a controller or processor in the UK to organisations based in the USA.

The EU-US Data Privacy Framework includes a set of Principles and other requirements. US-based organisations wishing to join the Framework must self-certify that they meet and comply with these standards to protect personal information. The UK Extension allows certified US companies to opt into receiving UK personal data through the Framework. If an individual is concerned about the way their information is handled, there are a number of different redress mechanisms that can be used.

In addition, the US President’s Executive Order 14086 sets further protections to make sure that US national security agencies can only access transferred personal data through signals intelligence activities where it is necessary and proportionate to protect national security. It also introduces an independent and binding mechanism for individuals to seek redress if they believe their personal data was accessed by US national security agencies in breach of applicable US law.

Please note that the redress mechanism for complaints against the US-based organisation is entirely separate and distinct from the mechanism for handling concerns about access to transferred personal data by US national security agencies through signals intelligence activities. The ICO has different roles in respect of each mechanism.

Complaints about the US organisation under the UK Extension

The US Department of Commerce oversee the UK Extension, including the registration applications, monitoring that the participating organisations continue to comply with their obligations and handle complaints about those organisations which falsely claim to be part of the scheme. It has a dedicated website that offers advice and publishes the register of all participating US-based organisations. It is important to remember that if the US-based organisation receiving transferred personal data is not registered, the protections of the UK Extension will not apply.

Enforcement of the Framework is carried out by the US Federal Trade Commission or the US Department of Transportation.

The ICO support you with your complaint, but we will only be able to handle your complaint if it relates to human resources data transferred in relation to an employment relationship (past or present) or where the US-based organisation has voluntarily agreed to cooperate with us in resolving the complaint.

Depending on the nature of the complaint, you may be able to take your complaint further if you are dissatisfied with the outcome.

You can use our complaints tool to find out what to do next and raise a complaint if you are concerned about how your information has been used by a US-based organisation that is signed up to the UK Extension, or falsely claiming to be signed up to it.

If you have specific questions, please call our helpline on 0303 123 1113.

What do I need to do before I can complain to the ICO?

You can complain to the ICO about the way a US-based organisation that is, or falsely claiming to be registered, to the UK Extension.

Before you complain to us about a US-based organisations registered to the UK Extension, you need to have:

  • complained directly to the organisation;
  • asked for clarification from the organisation if you received a response you don’t understand; and
  • followed up with the organisation if you have not received a response after 45 days.

If you have followed all these steps or have not received a response from the organisation, you can submit your complaint.

You can only use this service if the ICO is listed as a competent authority for the organisation you are complaining about, or if the organisation is transferring Human Resources (HR) data. You can find out if the ICO is the competent authority on the Data Privacy Framework website.


If you wish to request advice on how to raise a complaint about a UK organisation sending personal data to a US-based organisation under the UK Extension, you can submit a request for advice

This includes requests for advice on using a registered organisation’s in-house complaint process, the ICO’s complaint process or the Binding Arbitration Mechanism process.

What happens when I submit my complaint to the ICO?

When you complain to us, if it is something we can consider under the UK Extension to the EU-US Data Privacy Framework, one of our case officers will look into it.

The case officer will:

  • weigh up the facts of what’s happened, fairly and impartially;
  • raise it with the US-based organisation; and
  • tell you the outcome.

If we think the US-based organisation has infringed the Data Protection Framework Principles, we will give advice so the organisation can put things right and improve their information rights practices. We may also inform the relevant US authorities responsible as it may be appropriate for them to consider the complaint dependent upon the nature of the request.

When you complain about a US-organisation falsely claiming to the registered on the UK Extension to the EU-US Data Privacy Framework, one of our case officers will:

  • make some checks; and
  • refer it on to the US Department of Commerce.

How long will it take to deal with my complaint?

We aim to deal with complaints as soon as we can. Some complaints can be dealt with quickly but some may require more work and take longer.

What are the possible outcomes of my complaint?

The UK Extension sets out a process for us to consider complaints and to inform you of the outcome. There are a number of potential outcomes for a complaint under the UK Extension:

  1. We may tell you the organisation has done nothing wrong and there hasn't been an infringement of the UK Extension to the EU-US Data Privacy Framework.
  2. We may provide advice to an organisation that they have not complied with the Data Privacy Framework Principles and ask that they take steps to put things right.
  3. We may also make referrals to relevant US authorities such as the Department of Commerce, the Federal Trade Commission and the Department of Transportation. They will consider your complaint and take any action needed against that US-based organisation.

Can the ICO award compensation?

No. The ICO can't award compensation, even when we give our opinion that an organisation has infringed the UK Extension to the EU-US Data Privacy Framework.

Complaints about US national security agencies access (signals intelligence)

The US Government has made sure that US national security agencies put in place safeguards and limitations, as well as have a complaints process, in relation to their collection and access to information of people in the UK (signals intelligence activities).

This means that people in the UK are able to complain if they reasonably believe that their personal information has been transferred from the UK to a US-based organisation (either using the UK Extension or any other transfer mechanism) and was then accessed by a national security agency for national security purposes. However, you do not need to raise your complaint with the organisation first.

The ICO does not investigate and determine the outcome of this type of complaint, but we will check that your complaint meets requirements to be considered by the relevant US authority, the Civil Liberties Protection Officer of the Office of the Director of National Intelligence at the first stage.

We will then inform you of the outcome of the Office of the Director of National Intelligence’s decision. 

If you are unhappy with this decision, you can tell us you wish to challenge it and we will pass it on to the US Data Protection Review Court. They will review your request and the decision before giving a final and binding outcome.

You can use our complaint tool to find out what to do next and raise a complaint if you are concerned that your information has been collected or used by a US national security agency.

If you have specific questions, please call our helpline on 0303 123 1113. 

What can't the ICO do in this context?

In relation to both of the redress mechanisms:

  • We can't award compensation.
  • We can't look at complaints about processing of personal data by UK organisations or organisations not registered with the UK Extension other than US national security agencies. These would need to be considered under our standard complaints process.
  • We can't consider complaints that do not involve the processing of personal information. The information has to relate to living individuals.
  • We can't make an organisation apologise to you if things have gone wrong.